Neither command is working 😞
"\sfoo\s"
".\sfoo\s."
Still getting foobar.
@Meharkant123 This thread is almost 6 years old. For better chances at a helpful response, please post a new question.
First, Splunk normally searches by words, not by characters. So "foosball" will always be eliminated, because there is no "word" foo.
"foo.bar" and "bar.foo" are trickier because you have to understand what defines a "word" in Splunk. Whitespace always delimits words, but internal punctuation may or may not. It depends on the segmentation. Inner segmentation says that punctuation delimits words, just like whitespace. Outer segmentation says that only whitespace delimits words. By default, Splunk indexes both ways, and calls it full segmentation.
So normally, when you search for "foo", you will get "foo.bar" and "bar.foo".
To take more control of how Splunk searches, use the regex command. It allows you to keep or eliminate events that match a regular expression. This will let you search with case sensitivity or by characters.
For example:
sourcetype=yoursourcetype foo
| regex _raw=".*\sfoo\s.*"
will match any event that has "foo" in it, where foo is not capitalized and is surrounded by white space.
Note that I also included foo in the initial search. Why? Well, it is more efficient to eliminate all the events that don't have foo anywhere in the event before you apply the regex. For other kinds of searches, that might not be helpful, though.
Excellent answer. I'll just add that you could also omit the leading and trailing .* because Splunk will match on that implicitly anyway.
regex _raw="\sfoo\s"